Archive > 20.1 Legacy Series

Wireguard with MultiWAN setup

(1/1)

qdrop:
Hello everybody.

I successfully managed to setup an OPNsense appliance with a multiwan setup. It behaves as intended - at least for the LAN network.

On top of that I successfully configured Wireguard. It too behaves as intended.

But there's one catch: I didn't find a solution to make Wireguard using the failover gateway group as the gateway to establish the tunnel. It for some reason just uses WAN2 which is listed as "active" in the single gateways view. Changing the priorities bricks the failover group for some reason - so this ain't an option.

How can I make sure, Wireguard uses the failover group itself?

Best

Thomas

mimugmail:
This seems to be a limitation that WireGuard gateways doesn't support Gateway Groups

qdrop:
I actually got it working by enabling default gateway switching: https://docs.netgate.com/pfsense/en/latest/book/multiwan/multi-wan-terminology-and-concepts.html#default-gateway-switching

besecur3man:
Hi, I'm having trouble getting OPNSense multi wan configuration work with WireGuard.

I have a dual WAN OPNSense setup. And I have WireGuard setup and working fine, but only on the WAN that is the current default gateway. When the WAN which is the current default gateway is up, WireGuard peers can only establish connections over that WAN. Attempting to connect over the second WAN does not work. However, if the WAN with the default gateway is down, then WireGuard clients are able to connect using the second WAN.

Can you please clarify how you got it working? More specifically, were you able to get WireGuard to work such that peers can connect to either WAN when both WANs are up?

thanks -Jeremy

qdrop:
Well due to limitations of Wireguard we were never able to have two appliances with an active tunnel on each of them.

Instead - we have a master and slave configuration which is in-sync. We can then trigger enabling / disabling Wireguard with the CARP-events. Check the CARP-scripts to accomplish this.

But true HA / LB is not possible with WG (yet...). So all connection states will be dropped when having a failover-event.

The described setup was only set up in a lab-environment. We decided that hardware-failures are very rare and that we will fail-over manually when our master gateway crashes due to hardware issues.

HA / LB brings high complexity and cost. If our master gateway runs 5-10 years uninterrupted, it's hard to justify these costs to avoid a 20-30' downtime once or twice in that lifetime.

We'll integrate HA / LB when it's natively supported by WG / OPNsense.

Navigation

[0] Message Index

Go to full version